Security Basics mailing list archives
RE: Automated analysis of logs?
From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Thu, 10 Apr 2003 12:19:41 +0100
PERL is the answer to all your log questions. I sent on stuff before to members of this list to parse IIS logs and isolate good traffic from attacks based on known signatures such as "cmd.exe" etc. and "....\....\..." type stuff. It could all be logged into a database and reports generated to your heart's content. Flashy web front ends are also possible and also the ability to graph the whole thing with GD::Graph routines. So again PERL is your answer. Well worth a look as it was built with log analysis and reporting in mind.

Or look at 'FastStats Analyzer', 'http://www.10-strike.com/', and there are more via search engines. But for customised solutions I'm afraid you have to do it yourself. But it is worth it.

-----Original Message-----
From: H Carvey [mailto:keydet89 () yahoo com]
Sent: 09 April 2003 13:03
To: security-basics () securityfocus com
Subject: Re: Automated analysis of logs?
In-Reply-To: <001d01c2fdf4$2c403c50$b600000a@alderon>

> Are there any open-source applications that I can drop various kinds of logs into (especially IIS logs) and get not only statistics, but information and/or "warnings" about various kinds of known activity?

I've written Perl scripts to do exactly this sort of thing. The big issue is that not everyone clicks on all of the check boxes when they configure IIS logging. When I worked at a telecomm company, we had an ISP that had a lot of IIS servers...it seemed as if no two had the same items checked!

What I generally do is get an idea of what is the 'normal' activity. For example, on systems running OWA, one would expect to see queries that begin w/ "exchange". Then I start filtering out all normal traffic from the logs, narrowing that down.

Hope that helps,

Harlan
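As an added example (not code from the thread or from either poster), a small Python script that combines the two approaches described above: it reads the #Fields header so one parser copes with servers that log different columns, flags requests matching known-bad signatures such as cmd.exe and "..\" traversal, and filters out a hypothetical OWA baseline so only the unexplained remainder is left to read by hand. The log lines, the /exchange baseline and the signature list are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed W3C extended IIS log; the #Fields header drives the parser.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-09 13:00:01 10.0.0.5 GET /exchange/inbox - 200
2003-04-09 13:00:02 10.0.0.5 GET /exchange/calendar - 200
2003-04-09 13:00:03 192.0.2.9 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2003-04-09 13:00:04 192.0.2.9 GET /_vti_bin/..%255c../winnt/system32/cmd.exe /c+dir 500
2003-04-09 13:00:05 10.0.0.7 GET /default.htm - 200
"""

# Known-bad signatures of the kind the thread names; illustrative, not exhaustive.
SIGNATURES = {"cmd.exe": re.compile(r"cmd\.exe", re.I),
              "traversal": re.compile(r"\.\.[\\/]")}
# Baseline of 'normal' traffic for a hypothetical OWA box (Harlan's approach).
NORMAL_PREFIXES = ("/exchange",)


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order differs per server
        elif fields and line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def classify(rec):
    """Return ('attack', [signatures]), ('normal', []) or ('review', [])."""
    # Decode twice so %5c and the double-encoded %255c both collapse to '\'.
    uri = unquote(unquote(rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")))
    sigs = [name for name, rx in SIGNATURES.items() if rx.search(uri)]
    if sigs:
        return "attack", sigs
    if rec.get("cs-uri-stem", "").lower().startswith(NORMAL_PREFIXES):
        return "normal", []
    return "review", []           # neither known-bad nor baseline: read by hand


def analyze(text):
    """Counts per verdict plus (client, signatures, stem) for each attack hit."""
    counts, hits = Counter(), []
    for rec in parse_iis_log(text):
        verdict, sigs = classify(rec)
        counts[verdict] += 1
        if verdict == "attack":
            hits.append((rec.get("c-ip"), sigs, rec.get("cs-uri-stem")))
    return counts, hits
```

Running `analyze(SAMPLE_LOG)` on the constructed log yields two baseline requests, two flagged as attacks (both signatures fire once the encoding is stripped) and one left for review.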